Warning issued over critical flaws spotted in TP-Link routers

Researchers have spotted a pair of flaws in TP-Link routers, including a variation of a previously patched vulnerability

Two security flaws have been spotted in TP-Link routers, and one is the result of the company's patch for a previous flaw.

That’s according to Forescout Research's Vedere Labs, which spotted a flaw (CVE-2025-7850) that allows OS command injection via WireGuard VPN settings.

Another (CVE-2025-7851) allows unauthorized root access via residual debug code following a patch of a previous flaw.

Researchers Stanislav Dashevskyi and Francesco La Spina attributed their discovery in part to a technique called "vulnerability variant hunting".

This is a technique whereby an attacker – or in this case, researcher – looks for new ways to exploit a known bug rather than making the "time-consuming and labor-intensive" effort to find an entirely fresh one.

"Vendors typically patch the reported issues, but they do not always perform root-cause remediation across the codebase," the researchers noted.

ITPro contacted TP-Link for comment, but has yet to receive a response. The TP-Link Omada security advisory scores the flaws as critical and high in terms of severity.

"Attackers may execute arbitrary commands on the device’s underlying operating system," the advisory notes.

Researchers noted that the newly discovered vulnerabilities impact TP-Link Omada and Festa VPN routers. Both flaws allowed them to gain root privileges and “served as the foundation for broader vulnerability research across additional TP-Link device families.”

One of the flaws (CVE-2025-7851) is the result of TP-Link's patch for a previous flaw (CVE-2024-21827) which left debug functionality accessible, creating an access route for attackers to take advantage of.

Last year, TP-Link fixed CVE-2024-21827 after Cisco Talos reported it allowed arbitrary command execution by taking advantage of leftover debug code.

"After TP-Link patched it in 2024, devices could no longer be rooted this way — at least until we uncovered a new path," the researchers noted.

That was because the debug functionality was left in – likely because it was useful for developers or support staff, researchers noted – but hidden away so it would be harder to access.

Indeed, finding a route to that debug functionality helped the duo spot the other flaw (CVE-2025-7850).

"The WireGuard VPN settings in the Web UI expose a private-key field that is not properly sanitized, allowing an authenticated user to inject arbitrary OS commands that the device executes with root privileges," they noted.
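The kind of strict check whose absence the researchers describe for the private-key field, shown as an added example: this is not TP-Link firmware code or the researchers' code. The function names, the interface-name rule and the sample values are assumptions made for illustration.

```python
import base64
import binascii
import os
import re
import tempfile

# A WireGuard key is 32 raw bytes, which always encodes to 44 base64
# characters ending in one '='. Nothing else is accepted.
WG_KEY_RE = re.compile(r"[A-Za-z0-9+/]{43}=")
# Assumed interface-name policy for this example (not from the article).
IFACE_RE = re.compile(r"[A-Za-z0-9_-]{1,15}")


def is_valid_wg_key(value):
    """Return True only for a canonical base64 encoding of 32 bytes."""
    if not isinstance(value, str) or not WG_KEY_RE.fullmatch(value):
        return False
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    # Re-encode to reject non-canonical trailing bits.
    return len(raw) == 32 and base64.b64encode(raw).decode() == value


def stage_private_key(iface, private_key, key_dir):
    """Validate the form fields, write the key to an owner-only file and
    return the argv list for `wg set`; no shell parses the submitted value."""
    if not IFACE_RE.fullmatch(iface):
        raise ValueError("rejected interface name")
    if not is_valid_wg_key(private_key):
        raise ValueError("rejected private key")
    key_path = os.path.join(key_dir, iface + ".key")
    fd = os.open(key_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(private_key + "\n")
    # Hand this list to subprocess.run(argv, check=True), never shell=True.
    return ["wg", "set", iface, "private-key", key_path]


if __name__ == "__main__":
    good = base64.b64encode(bytes(range(32))).decode()  # constructed key
    hostile = "$(id)" + good[5:]  # constructed value with shell metacharacters
    with tempfile.TemporaryDirectory() as d:
        print(stage_private_key("wg0", good, d))
        print(is_valid_wg_key(hostile), is_valid_wg_key(good + "\n"))
```

The validator is an allowlist for one exact format rather than a blocklist of shell characters, and the key reaches `wg` as a file path in an argument list, so a value that slipped past validation would still not be interpreted by a shell.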

Using this bug, researchers were able to take advantage of the first flaw. Beyond the issues detailed in the Vedere Labs report, the researchers found additional vulnerabilities that have been reported to TP-Link.

These are expected to be addressed in a patch due to arrive early next year.

"Our protocol analysis also uncovered multiple, additional vulnerabilities — several of them critical and remotely exploitable," the researchers noted. "The issues are currently under coordinated disclosure with the vendor."

What should companies do?

Vedere Labs' researchers advised companies to apply the already available firmware patches. The advisory from Omada also advises changing the password after the firmware upgrade to prevent leakage.

"Apply vendor firmware updates for TP-Link Omada and Festa VPN routers, as well as any other internet-facing devices as they become available," the Vedere Labs researchers said.

"We found the vulnerabilities on firmware version V2.6_2.1.3 (the latest at the time), but several versions are affected."

The researchers also advised the addition of web application firewalls to block command injection and web-based attacks, and to lock down remote administration access where possible.

Companies should, as ever, log all admin sessions and router traffic to spot anomalies and review vendor support mechanisms on any devices.

Freelance journalist Nicole Kobie first started writing for ITPro in 2007, with bylines in New Scientist, Wired, PC Pro and many more.

Nicole is the author of a book about the history of technology, The Long History of the Future.